[KERNEL] Power over OTG host mod. - ONE Android Development

[From my README]
A mod for the Oneplus One DWC3 otg module. This allows for charging and host mode simultaneously, inspired by Ziddey's msm_otg mod for the Nexus 4/7 (2013). Functionality was ported over from his kernel hack to the DWC3 USB driver which now handles the MSM8974 USB controller.
The hack works through setting a custom module parameter I've added to allow 'ACA' host mode. This flag effectively turns on ID_A host mode while disabling VBUS power going to the hosted device. I've uploaded the modded dwc3_otg.c file that you can replace in your Oneplus One(bacon) kernel source of choice. It'll be located in the drivers/usb/dwc3/ directory. I've also uploaded my personal kernel image with this hack built on top of Franco's kernel. It also has other modules built into it, mainly DRM/Devtmpfs/Cifs/NFS/NTFS/Alsa Sequencer/Usbip/Binfmt/loadable modules/etc... It was compiled with GCC 4.9 NDK version.
Usage: First you'll need either a generic Y split USB OTG cable or a powered USB hub connected to regular OTG(I've only tested the Y cable).
With the modified kernel flashed, open a terminal shell and as root, enter the following command: "echo Y > /sys/module/dwc3/parameters/aca_enable"
This activates the 'ACA' host mode hack.
[UPDATE]
Wiggling the cord is not needed anymore. I've updated the code so that the phone automatically accepts a charge on entering host mode.
The tricky part is now getting your Y-OTG adapter to send power to the phone. First with power cable and USB device(s) connected the adapter, plug the Y cable into the phone. Test that the phone reads the device. Now, unplug the cable from the phone, leaving the USB device and power cord plugged into the OTG adapter. Gently wiggle the cable slightly while slowly pushing it back into the phone's port, wait for the charge indicator to come on. Once the phone detects the charge, you can push the cable in all the way. The phone should be charging at max current rate while retaining host mode.
Please, if you can test the powered hub method or have improvements to this hack, feel free to share! Also, the standard legal disclaimer applies here that by using this mod/code/kernel in anyway is completely your responsibility. I'm not liable for any possible damages to your devices.
Links:
DWC3 OTG Modification For OnePlus One
https://github.com/sollapse/opo_dwc3_otg/
Ziddey's Original ACA hack for Mako
https://github.com/ziddey/mako/commits/nightlies-4.3-JSS
Franco's Oneplus One Kernel Source
https://github.com/franciscofranco/one_plus_one

Hi sollapse, thank you a lot for this patch, i modified it a little for my xperia z2, it seems to be working just fine, it detects when power is disconnected and switches back to OTG_STATE_A_IDLE automatically, anyway, the only thing that i couldnt get to work is once it is on host mode, when i connect the power it doesnt start charging, perhaps you can find a way to get it working, here's my patch:
Code:
--- dwc3_otg.c 2015-09-22 14:44:45.115324661 -0300
+++ dwc3_otg.c.new 2015-09-22 14:47:40.950239287 -0300
@@ -45,6 +45,12 @@ static void dwc3_otg_reset(struct dwc3_o
static void dwc3_otg_notify_host_mode(struct usb_otg *otg, int host_mode);
static void dwc3_otg_reset(struct dwc3_otg *dotg);
+/*OTG charging hack*/
+static bool aca_enable = 0;
+static bool enable_otg_charge = 0;
+module_param(enable_otg_charge, bool, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(enable_otg_charge, "Force ACA host mode to allow charging and host.");
+
/**
* dwc3_otg_set_host_regs - reset dwc3 otg registers to host operation.
*
@@ -204,41 +210,45 @@ static int dwc3_otg_start_host(struct us
if (!dwc->xhci)
return -EINVAL;
-
- if (!dotg->vbus_otg) {
- dotg->vbus_otg = devm_regulator_get(dwc->dev->parent,
- "vbus_dwc3");
- if (IS_ERR(dotg->vbus_otg)) {
- dev_err(dwc->dev, "Failed to get vbus regulator\n");
- ret = PTR_ERR(dotg->vbus_otg);
- dotg->vbus_otg = 0;
- return ret;
- }
- }
-
+
+ if(!aca_enable){
+ if (!dotg->vbus_otg) {
+ dotg->vbus_otg = devm_regulator_get(dwc->dev->parent,
+ "vbus_dwc3");
+ if (IS_ERR(dotg->vbus_otg)) {
+ dev_err(dwc->dev, "Failed to get vbus regulator\n");
+ ret = PTR_ERR(dotg->vbus_otg);
+ dotg->vbus_otg = 0;
+ return ret;
+ }
+ }
+ }
+
if (on) {
dev_dbg(otg->phy->dev, "%s: turn on host\n", __func__);
dwc3_otg_notify_host_mode(otg, on);
-
- /* register ocp notification */
- if (ext_xceiv && ext_xceiv->otg_capability &&
- ext_xceiv->ext_ocp_notification.notify) {
- ret = regulator_register_ocp_notification(
- dotg->vbus_otg,
- &ext_xceiv->ext_ocp_notification);
- if (ret)
- dev_err(otg->phy->dev,
- "unable to register ocp\n");
- }
-
- ret = regulator_enable(dotg->vbus_otg);
- if (ret) {
- dev_err(otg->phy->dev, "unable to enable vbus_otg\n");
- dwc3_otg_notify_host_mode(otg, 0);
- return ret;
- }
-
+
+ if(!aca_enable){
+ /* register ocp notification */
+ if (ext_xceiv && ext_xceiv->otg_capability &&
+ ext_xceiv->ext_ocp_notification.notify) {
+ ret = regulator_register_ocp_notification(
+ dotg->vbus_otg,
+ &ext_xceiv->ext_ocp_notification);
+ if (ret)
+ dev_err(otg->phy->dev,
+ "unable to register ocp\n");
+ }
+
+ ret = regulator_enable(dotg->vbus_otg);
+ if (ret) {
+ dev_err(otg->phy->dev, "unable to enable vbus_otg\n");
+ dwc3_otg_notify_host_mode(otg, 0);
+ return ret;
+ }
+ }
+
/* The delay between enabling regulator and adding the
platform device is needed to succeed in the enumeration
for certain devices. */
@@ -269,7 +279,9 @@ static int dwc3_otg_start_host(struct us
dev_err(otg->phy->dev,
"%s: failed to add XHCI pdev ret=%d\n",
__func__, ret);
- regulator_disable(dotg->vbus_otg);
+ if(!aca_enable)
+ regulator_disable(dotg->vbus_otg);
+
dwc3_otg_notify_host_mode(otg, 0);
return ret;
}
@@ -279,24 +291,27 @@ static int dwc3_otg_start_host(struct us
dwc3_otg_reset(dotg);
} else {
dev_dbg(otg->phy->dev, "%s: turn off host\n", __func__);
-
- ret = regulator_disable(dotg->vbus_otg);
- if (ret) {
- dev_err(otg->phy->dev, "unable to disable vbus_otg\n");
- return ret;
- }
-
- /* unregister ocp notification */
- if (ext_xceiv && ext_xceiv->otg_capability &&
- ext_xceiv->ext_ocp_notification.notify) {
- ret = regulator_register_ocp_notification(
- dotg->vbus_otg, NULL);
- if (ret)
- dev_err(otg->phy->dev,
- "unable to unregister ocp\n");
- }
-
- dwc3_otg_notify_host_mode(otg, on);
+
+ if(!aca_enable){
+ ret = regulator_disable(dotg->vbus_otg);
+ if (ret) {
+ dev_err(otg->phy->dev, "unable to disable vbus_otg\n");
+ return ret;
+ }
+
+ /* unregister ocp notification */
+ if (ext_xceiv && ext_xceiv->otg_capability &&
+ ext_xceiv->ext_ocp_notification.notify) {
+ ret = regulator_register_ocp_notification(
+ dotg->vbus_otg, NULL);
+ if (ret)
+ dev_err(otg->phy->dev,
+ "unable to unregister ocp\n");
+ }
+ }
+
+ if(!aca_enable)
+ dwc3_otg_notify_host_mode(otg, on);
platform_device_del(dwc->xhci);
/*
@@ -341,8 +356,11 @@ static int dwc3_otg_set_host(struct usb_
* required for XHCI controller before setting OTG Port Power
* TODO: Tune this delay
*/
- msleep(300);
- dwc3_otg_set_host_power(dotg);
+
+ msleep(300);
+ if(!aca_enable){
+ dwc3_otg_set_host_power(dotg);
+ }
} else {
otg->host = NULL;
}
@@ -972,7 +990,17 @@ static void dwc3_otg_sm_work(struct work
dev_dbg(phy->dev, "vbus_drop_det\n");
/* staying on here until exit from A-Device */
} else {
- phy->state = OTG_STATE_A_HOST;
+ //if we have power and enable_otg_charge, force charging on
+ if (test_bit(B_SESS_VLD, &dotg->inputs) && enable_otg_charge){
+ if(charger){
+ dev_info(phy->dev, "OTG charging is ON!!!\n");
+ aca_enable = 1;
+ charger->chg_type =DWC3_SDP_CHARGER;
+ dwc3_otg_set_power(phy, DWC3_IDEV_CHG_MAX);
+ }
+ } else
+ aca_enable = 0;
+ phy->state = OTG_STATE_A_HOST;
ret = dwc3_otg_start_host(&dotg->otg, 1);
if ((ret == -EPROBE_DEFER) &&
dotg->vbus_retry_count < 3) {
@@ -1000,7 +1028,15 @@ static void dwc3_otg_sm_work(struct work
break;
case OTG_STATE_A_HOST:
- if (test_bit(ID, &dotg->inputs)) {
+ if (enable_otg_charge){
+ //detect power change and switch back to OTG_STATE_A_IDLE
+ if(!test_bit(B_SESS_VLD, &dotg->inputs)){
+ dev_info(phy->dev, "Power disconnected, charging disabled!!!\n");
+ dwc3_otg_start_host(&dotg->otg, 0);
+ phy->state = OTG_STATE_A_IDLE;
+ work = 1;
+ }
+ } else if (test_bit(ID, &dotg->inputs)) {
dev_dbg(phy->dev, "id\n");
dwc3_otg_start_host(&dotg->otg, 0);
phy->state = OTG_STATE_B_IDLE;

I've updated my code a couple of days ago to automatically apply power during the state change, assuming a charger is connected to the y cable (USB devices would not power otherwise). In your mod, it seems you're attempting to detect a charge using the 'B' mode state, but by that time with the aca flag enabled, the USB controller should be in ID_A host mode instead of B_SESS_VLD. The driver's 'set_power' function already checks the line for current automatically. Please look at the updated code to see what I did during the state change. It should all work utilizing the one parameter flag.

I tested this with a patched sultanXDA CAF kernel (since the .c source file was slightly different, I was careful to only merge the relevant changes), and a powered USB HUB. It works perfectly! Thanks.

Phoenix Wright said:
I tested this with a patched sultanXDA CAF kernel (since the .c source file was slightly different, I was careful to only merge the relevant changes), and a powered USB HUB. It works perfectly! Thanks.
Click to expand...
Click to collapse
That's great! I'm pretty certain with the push to USB Type C and potential USB 3.1 support, that the DWC3 driver will be used across most devices for now on. This code should merge well with them if ACA is absent (Zenphone 2 is the only exception I've found so far since Intel enabled it in the driver).

Can someone post a modded CAF kernel for the opo? I am having issues building a kernel as I currently only have a windows box.

snekiam said:
Can someone post a modded CAF kernel for the opo? I am having issues building a kernel as I currently only have a windows box.
Click to expand...
Click to collapse
Latest Sultanxda kernel (as of 10/4), with the CAF dwc_otg modified with sollapse's patches. His sources are here: https://github.com/sultanxda/android_kernel_oneplus_msm8974
I used Google GCC 4.8, which is the same one he uses, as far as I could tell.
View attachment sultan10-4_otg-y.7z
@sollapse I noticed a bug. I made two widgets with an app on Play Store (to enable and disable this hack). I disabled this by mistake while the OTG device and charge were still inserted, and after I removed them I got a kernel panic, could this be fixed?

I should be able to fix it. I'll look at it again and will try to clean up the state change code.

Kernel
Can someone please upload a kernel .img?
I am not able to compile a kernel on my own....

@sollapse I fixed the kernel panics, and also another bug (when the aca_enable parameter was on, you couldn't charge at full speed with a wall charger - not in host mode, just simple charging). I've done all possible status changes (set aca_enable to on, insert otg-y cable + device, turn aca_enable off, unplug device; aca_enable is off, plug regular otg cable + device, turn aca_enable on, unplug device, set aca_enable to off, re-plug). These two situations respectively gave these results: kernel panic and inability to use regular otg again.
Turns out that the issues were with "regulator_disable", now it's executed when the regulator is enabled, regardless of the aca_enable parameter.

Another fix for incorrect usage: if you connected a regular OTG cable+device while aca_enable was set to Y, it would show the charging icon, and it would even stay there after the device was disconnected! Sadly I can't prevent the charging icon from appearing (as this hack basically forces all the "unknown" chargers to be reported as USB - as opposed to AC - chargers... and the weird part is that the charge coming from OTG-Y is an "unknown charger"... but the charge (?) coming from a regular OTG device is an "unknown charger" too! XD, if there's a way it's out of reach for me), but I managed to make it go away after disconnection. Basically, it doesn't force "unknown" to USB if the function gets called to *disable* charging. I guess this is the best I can do for this kernel mod ^_^

It looks I was wrong, after lots of debugging of dwc3_otg I learned how it works, so I overhauled the patch. It works more cleanly now: it actually properly detects the charger (no more phantom notifications, faster charging rates if it's allowed by the charger), supports unplugging and replugging of the power cord while using OTG-Y, and unplugging of the device after power was unplugged, fixes all sorts of race conditions and wrong usages of the aca_enable parameter (I'm not sure if it's all of them, but I've been testing and fixing things for a while).
I attach a .diff for CAF kernels. Take note that to use the fix for plugging OTG devices in sleep mode you need to patch the charger driver: https://github.com/sultanxda/androi...mmit/7b023b295fdfa4789c93aee8b04f5d2a9b52dbba

Wow, I've completely abandoned this hack since it's worked well enough for me . Also haven't had much time due to work and other necessities. Thanks for the patches @Phoenix Wright for cleaning up this hack! This should be a standard addition to all future Android kernels.

sollapse said:
Wow, I've completely abandoned this hack since it's worked well enough for me . Also haven't had much time due to work and other necessities. Thanks for the patches @Phoenix Wright for cleaning up this hack! This should be a standard addition to all future Android kernels.
Click to expand...
Click to collapse
Yeah, I wonder why they haven't implemented the feature officially, as it can be done just fine
And many thanks for developing this
By the way, I realized the reboots when inserting an OTG-Y device in deep sleep were not actually fixed, as I got a reboot yesterday, my bad (sultanxda fixed the issues with doing it with regular OTG, but it seems the issue with OTG-Y was different). It seems it's fixed properly this time though. Same patch as yesterday, just a two line difference.

Thanks for the original mod, sollapse, and thanks for your patches and all the updates, Phoenix. Just to confirm: this mod requires that on every kernel update via Sultan's OTA, the kernel source be pulled, patched, flashed onto your OPO, and finally activated using the aca command?
I'm off to go learn how to build a kernel from this handy guide, if anyone else is interested in jumping on this exciting bandwagon.
http://forum.xda-developers.com/android/software/ultimate-guide-compile-android-kernel-t2871276
EDIT: Thought I'd keep everyone abrest of my progress as a total newbie trying this out. I've used Ubunutu before, but had a lot of headaches trying to get my network working properly.
5:00pm: started the downloads of Ubuntu and Virtualbox. I have Hyper-V support (which is supposedly faster) on my desktop rig, but it has network issues, so I went with Virtualbox. Apparently, one of the things needed to create a kernel is a "toolchain". The guide uses "arm-eabi-4.33", but Phoenix and apparently sultan use gcc 4.8, so we'll go with that. But, how do I replace them? Can I just switch the git urls with this one I found of Google's toolchain?
5:30pm: got Ubuntu's 15.10 iso downloaded and VirtualBox installed. We'll figure out the toolchains later.
5:45pm: OK, Ubuntu is installing. I did the default on everything (2GB RAM, 8GB virtual hard disk). Booted up, installed it, and rebooted. "SQUASHFS errors" on first Ubuntu boot. The issues begin early, lol.
5:50pm: Checked the iso's MD5, matches up. Google'd around, but only random fixes that don't really fit (updating my BIOS? on a virtualbox?!). OK, let's try again with 3GB of RAM (my rig has 8GB) and 12GB of disk space.
5:55pm: "SquashFS errors" again. Whhhhhhhyyyy, Ubuntu, whyyyyyyyyy.
5:56pm: Hmm, what if I just shut down the virtual box and just try starting Ubuntu again?
5:57pm: HOLYCOWITWORKED. Thank you, Ubuntu--I love you.
5:58pm: Why is the resolution so small even though Ubuntu is installed? Everything is huge and my mouse is a little laggy.
6:05pm: OK, from a StackExchange post: you need "Guest Additions" to change the resolution. In the VirtualBox window (not in Ubuntu), you just click "Install Guest Additions" and it does its thing. It actually inserts the files as a virtual CD, haha. That's neat.
6:15pm: Trying to get the hang of "Right Control" as "host key". But, wait, why can't I copy/paste between my host and guest (copying all the commands from the guide linked above)? I feel like I had that last time I used VirtualBox. The Firefox in Ubunutu is really slow, too, and troubleshooting is mostly through Google right now, lol, and I don't want slow troubleshooting.
6:20pm: Oh, bidirectional copy/paste needs to be enabled. I see....
6:22pm: I FEEL LIKE A GOD NOW. I can copy and paste between TWO operating systems running my PC. WOWZA....I don't know what enromous amount of engineering that required, but it is a killer feature.
6:26pm: I'm trying to learn all the commands that the guide is using, just in case I mess up somewhere. What does the "-y" do in apt-get?
6:26:15pm: Thank you, random internet stranger many years ago, about telling me what a "man page" is. It's a simple website/HTML document that will actually explain all the arguments of a command. Great in interpreting the exotic arguments of cerebral StackExchange users....and what "-y" does in apt-get....
6:26:30pm: "-y" just hits "yes" to any prompts or whatever that apt-get invokes. Nice noob feature for people like me, haha. All right, I'm OK with that argument, let's do it!
6:30pm: Next, "mkdir"....well, that makes sense. But, where is it making this folder? How does it know where to put it????
6:33pm: Ah, so there is a "Home" folder that is the default folder. That's where it puts things. I made like 15 folders using "mkdir" and they all appear there.
6:40pm: Let's start! First, I need to grab sultan's kernel. OK, "git clone", let's do it!
6:41pm: "Git is not installed". These errors freak me out, but at least this one is minor, lol. OK: step zero, install git.
6:42pm: THE COMMAND WORKED! First success. But, wow, the kernel is a huge download (300MB+). Damn, wish I started this earlier in the background.
6:44pm: I wonder if I can start installing the other things, too. But, how? Can I open another terminal window?
6:45pm: Yes, you can open another terminal window and even a tab. But, should I install other things? Might that interfere with "git clone"? Why risk it? I mean, it took two hours to get just here...
6:46pm: Throwing caution to the wind. Opening TWO terminal windows and starting apt-get with the other stuff.
6:50pm: No errors so far...
6:55pm: woot! Everything downloaded, nice, nice. OK, the last thing: those toolchains. What even is a toolchain?
6:56pm: OK, a toolchain is basically like a list of directories and their location? Or something? It's like a default variable location "list" or something. Hmm...OK, Phoenix used gcc 4.8, so that's what we'll do!
6:58pm: But, wait, the instructions at the gcc toolchain page say I need the "Android GCC repository" and even more dependencies. But, the guide doesn't mention any of that. Is this specific to the Google one? Looks like more downloading...
6:59pm: Err, hold on. I don't want to BUILD the toolchain. I just want it cloned to my system....I don't need to build the toolchain, right? OK, let's just get the gcc repo first and then we'll see.
7:05pm: Ugh, another huge download. I'm down to 180MB of free space! What? How did I use 12GB already?
7:06pm: Oh, the HDD is only 9.6GB. I guess formatting takes away some of it and Ubuntu's install, too. OK, we'll resize the partition and call it night. To be continued later...

A brief update, as I'm too tired to annotate everything today, haha. The reason the guide uses Doom's toolchains is because they're prebuilt. So, I guess, we'll use those. I'm creating the updated dwc3_otg.c from all the patches, but the hunks are failing after the first patch. Will troubleshoot today by looking at the reject file and see what's being moved around.
EDIT: OK, I actually just opened the patch files. Looks like I just need the latest one to apply to sollapse's original patch. Patches 1/2 are almost identical (and sans full overhaul). Patch 3 is superseded by patch 4. So, just patch 4 is the one you need. Huh. Let's do it! ;D
This guide is great for understanding patch files.

sollapse said:
Wow, I've completely abandoned this hack since it's worked well enough for me . Also haven't had much time due to work and other necessities. Thanks for the patches @Phoenix Wright for cleaning up this hack! This should be a standard addition to all future Android kernels.
Click to expand...
Click to collapse
thanks for your work, it's awesome feature
is there some solution without a kernel compiling ? some custom rom or kernel image

stadnyuk said:
thanks for your work, it's awesome feature
is there some solution without a kernel compiling ? some custom rom or kernel image
Click to expand...
Click to collapse
Its already there in my kernel called lightning kernel check tht sig for the link and if you are on cm then there is another thread in original android dev section

nikhil18 said:
Its already there in my kernel called lightning kernel check tht sig for the link and if you are on cm then there is another thread in original android dev section
Click to expand...
Click to collapse
Thank you, I'll check it. I've installed sultanxda ROM with hope for future kernel updates, but there is some bugs and I think to return to stock CM

nikhil18 said:
Its already there in my kernel called lightning kernel check tht sig for the link and if you are on cm then there is another thread in original android dev section
Click to expand...
Click to collapse
Hi again, I'm stuck with lightning kernel(((
Can't flash it. I'm starting to think I'm completely noon.
Flashing over night build of CM12 the cm version of kernel(V15)
Wipe, flash, wipe
The result - stuck on one plus logo
Flashing again sultanxda ROM, wipe, kernel, gapps
The result - boot loop
Where is the problem? What I'm doing wrong?
Now I'm on a last night build, am I right that I need V15 cm version?
Thank you for helping
PS: I've realized I was flashing cm13 kernel version with cm12 ROM, so flashed sultanxda 12, v33 kernel version - loop boot

Related

[WIP] GL Enabled CM9 ICS

I am posting here because I do not have permission to post in the android dev forum. Thanks to j00m who helped post my ROM earlier in the dev forum, but I thought I should build up my posts to be able to post stuff myself too Here is another smaller system.img file that should work with stock hboot or blackrose (not tested) and has the home button working. The ROM should be considered alpha quality at best as is with other CM9 ROMs.
(system.img)
http://www.mediafire.com/?9lcz59qq8s1qgvb
boot.img (if you have one from drewis' alphas, you do not need to flash this.)
http://www.mediafire.com/?kilz59rjc8kug1m
Be sure to wipe data/cache before reboot. You should be able to use the google apps from userdata.img from one of drewis's alphas.
The ROM is built from CM9, with my changes to make use of the adreno GL drivers. Credits are due to the CM team and all whose code is included in CM9. There should be many to name and I do not want to miss out anyone who deserves credit.
Will post code changes soon. Need to clean it up. Hence the delay.
I hope that when I have enough posts to be privileged, this thread can be moved into the dev forum.
Enjoy!!
Here is the source patch.
diff --git a/frameworks/base/libs/gui/SurfaceTexture.cpp b/frameworks/base/libs/gui/SurfaceTexture.cpp
index c72a45b..9e425e3 100644
--- a/libs/gui/SurfaceTexture.cpp
+++ b/libs/gui/SurfaceTexture.cpp
@@ -246,6 +246,8 @@ status_t SurfaceTexture::requestBuffer(int slot, sp<GraphicBuffer>* buf) {
return NO_ERROR;
}
+#define MAX_SLEEPTIMEOUTS (5)
+
status_t SurfaceTexture::dequeueBuffer(int *outBuf, uint32_t w, uint32_t h,
uint32_t format, uint32_t usage) {
ST_LOGV("SurfaceTexture::dequeueBuffer");
@@ -262,6 +264,9 @@ status_t SurfaceTexture::dequeueBuffer(int *outBuf, uint32_t w, uint32_t h,
int found, foundSync;
int dequeuedCount = 0;
bool tryAgain = true;
+ int sleepTimeouts = 0;
+ bool eglWorkAround = true;
+
while (tryAgain) {
if (mAbandoned) {
ST_LOGE("dequeueBuffer: SurfaceTexture has been abandoned!");
@@ -342,6 +347,21 @@ status_t SurfaceTexture::dequeueBuffer(int *outBuf, uint32_t w, uint32_t h,
// clients are not allowed to dequeue more than one buffer
// if they didn't set a buffer count.
if (!mClientBufferCount && dequeuedCount) {
+ LOGV("SurfaceTexture::dequeue: Not allowed to dequeue more than a "
+ "buffer\n");
+ if (eglWorkAround) {
+ if (sleepTimeouts++ < MAX_SLEEPTIMEOUTS) {
+ LOGD("SurfaceTexture::dequeue: Not allowed to dequeue more "
+ "than a buffer SLEEPING\n");
+ usleep(100000);
+ } else {
+ mClientBufferCount = mServerBufferCount;
+ LOGD("SurfaceTexture::dequeue: Not allowed to dequeue more "
+ "than a buffer RETRY mBufferCount:%d mServerBufferCount:%d\n",
+ mBufferCount, mServerBufferCount);
+ }
+ continue;
+ }
return -EINVAL;
}
@@ -353,6 +373,13 @@ status_t SurfaceTexture::dequeueBuffer(int *outBuf, uint32_t w, uint32_t h,
// than allowed.
const int avail = mBufferCount - (dequeuedCount+1);
if (avail < (MIN_UNDEQUEUED_BUFFERS-int(mSynchronousMode))) {
+ if (eglWorkAround && mClientBufferCount != 0) {
+ mBufferCount++;
+ mClientBufferCount = mServerBufferCount = mBufferCount;
+ LOGD("SurfaceTexture::dequeuebuffer: MIN EXCEEDED "
+ "mBuffer:%d bumped\n", mBufferCount);
+ continue;
+ }
ST_LOGE("dequeueBuffer: MIN_UNDEQUEUED_BUFFERS=%d exceeded "
"(dequeued=%d)",
MIN_UNDEQUEUED_BUFFERS-int(mSynchronousMode),
@@ -700,8 +727,8 @@ status_t SurfaceTexture::updateTexImage() {
ST_LOGW("updateTexImage: clearing GL error: %#04x", error);
}
- glBindTexture(mTexTarget, mTexName);
- glEGLImageTargetTexture2DOES(mTexTarget, (GLeglImageOES)image);
+ glBindTexture(getCurrentTextureTarget(), mTexName);
+ glEGLImageTargetTexture2DOES(getCurrentTextureTarget(), (GLeglImageOES)image);
bool failed = false;
while ((error = glGetError()) != GL_NO_ERROR) {
@@ -736,7 +763,7 @@ status_t SurfaceTexture::updateTexImage() {
mDequeueCondition.signal();
} else {
// We always bind the texture even if we don't update its contents.
- glBindTexture(mTexTarget, mTexName);
+ glBindTexture(getCurrentTextureTarget(), mTexName);
}
return OK;
@@ -762,6 +789,9 @@ bool SurfaceTexture::isExternalFormat(uint32_t format)
}
GLenum SurfaceTexture::getCurrentTextureTarget() const {
+ if (mTexTarget == GL_TEXTURE_EXTERNAL_OES) {
+ return GL_TEXTURE_2D;
+ }
return mTexTarget;
}
diff --git a/frameworks/base/services/surfaceflinger/Layer.cpp b/frameworks/base/services/surfaceflinger/Layer.cpp
index 317cc3b..9e92e81 100644
--- a/services/surfaceflinger/Layer.cpp
+++ b/services/surfaceflinger/Layer.cpp
@@ -40,6 +40,8 @@
#include "SurfaceTextureLayer.h"
#define DEBUG_RESIZE 0
+#define GL_TEXTURE_EXTERNAL_OES GL_TEXTURE_2D
+
namespace android {
diff --git a/device/htc/passion-common/BoardConfigCommon.mk b/device/htc/passion-common/BoardConfigCommon.mk
index b86c580..e17da36 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -73,7 +73,7 @@ BOARD_VENDOR_USE_AKMD := akm8973
## Hardware rendering
## doesn't actually work until we have hwcomposer
-USE_OPENGL_RENDERER := true
+USE_OPENGL_RENDERER := false
BOARD_EGL_CFG := device/htc/passion-common/egl.cfg
## for rmcc egl hack
COMMON_GLOBAL_CFLAGS += \
On Media fire:
http://www.mediafire.com/?dxzyyfzzp9m6fu8
It works with OPENGL_RENDERER := true as well, but is quite slow and crashes often, with OPENGL_RENDERER := false things are much more stable and usable as is the ROM posted above.
Thanks.
Good job guy.Keep it up ,waiting for next version
mori90 said:
Good job guy.Keep it up ,waiting for next version
Click to expand...
Click to collapse
+1 Agreed. Cant wait to see what you and texasice does next.
Confirm it is working with blackrose. But what i noticed:
-Superuser crashes when trying to update the su binary.
-My USM App is corrupted. Filesize is 12 kb, instead of 38. When trying to use it (activate UMS) it prompts a toast saying "Superuser permission denied", but it doesn't even promt the request popup before; though there is no entry in the Superuser App list.
EDIT: After rm Superuser.apk and flashing the signed Superuser zip via recovery, using su works now.
That made it possible to use the UMS App again and also to use Titanium to restore all Gapps (incl. Account Setup).
Could you check the permissions on the actual su binary itself?
rapmv78 said:
Could you check the permissions on the actual su binary itself?
Click to expand...
Click to collapse
not any longer. :/ (see edited post above) btw: did you made any changes to my ums app? noticed the smaller file size and seems like some notifications are not there any longer!?
Most likely that the permission got fixed when you flashed the Superuser zip file. Good to know it is resolved. Have you seen any other issues pertaining to graphics? I am just curious to know how GL works for others
rapmv78 said:
Have you seen any other issues pertaining to graphics? I am just curious to know how GL works for others
Click to expand...
Click to collapse
So far not. Everything is fine. Played a few videos with diefferent formats without any issues amd now i'm populating the system with apps and restoring settings.. One thing (not gl related) i'm struggeling with, is to get the market running. for whatever reason every version i installed opens fine, let me connect to my google account but then says network error (in wifi and also mobile data mode). Same error with Maps.. I'll post updates as soon as i have some. But beside this, everything looks really good. Meanwhile i can offer a system report if that helps you to get any information: http://www.nahklick.de/user/stephan/android_report.html
Bexton said:
So far not. Everything is fine. Played a few videos with diefferent formats without any issues amd now i'm populating the system with apps and restoring settings.. One thing (not gl related) i'm struggeling with, is to get the market running. for whatever reason every version i installed opens fine, let me connect to my google account but then says network error (in wifi and also mobile data mode). Same error with Maps.. I'll post updates as soon as i have some. But beside this, everything looks really good. Meanwhile i can offer a system report if that helps you to get any information: http://www.nahklick.de/user/stephan/android_report.html
Click to expand...
Click to collapse
Regarding the market, did you try clearing the cache for the app and reboot (the usual method iirc) ? System report looks fine. Thanks.
rapmv78 said:
Regarding the market, did you try clearing the cache for the app and reboot (the usual method iirc) ?
Click to expand...
Click to collapse
yep, didn't solved it!? but stopped trying now.
at the moment i'm watching spiderman 3 in 720p x264 mkv format. trailer worked fine. full movie judderes a bit from time to time but it is running for 15 minutes now without hanging up or whatever.
edit: 1080p also works but is really slow and the judder effect is much bigger.
Thread moved to dev section and link to mediafire ok
What's working and what's not?
imfloflo said:
Thread moved to dev section and link to mediafire ok
Click to expand...
Click to collapse
second post, the link to media fire is not ok!
@j00m Fix
Thread moved in General Section to allow OP to respond for the moment
This ROM enables hardware acceleration for most of the tasks as used to be in gingerbread. Am interested in knowing the experience of others using this mod.
Thanks.
Trackball wakeup will have next next... version,right ???
Why this ver. is working perfect on wifi(Static IP) but texasice version is not ??
I am not sure about the difference with static IP working in this ROM v/s texas ice's. Also since I posted the source code and is in CM9, you should just be able to get more features out of the other ROMs than you would from me This ROM was more of a proof of concept to see if openGL acceleration patch was usable and looks like it does. Thanks for your help in testing it. I do not have any plans to release new ROMs, as all I would be doing is pull the code and compiling it, without any value add from my side (now that the code has already been merged).
The mod can actually close this thread if need be.
Thanks.
what's working and what's not?

A10.1IT G8: Do we have multi-touch?

Did anyone get http://labs.teague.com/projects/ChordedKeyboard/ working on A10.1IT G8?
we have multitouch but with just up to 2 points.
So u can't play a piano with more then 2 fingers at the same time...
I didn't try the app.
I've heard rumours that this is a software limitiation, not hardware.
BTW, the site I mentioned is not an app, it's a web page.
sciurius said:
I've heard rumours that this is a software limitiation, not hardware.
Click to expand...
Click to collapse
As far as I could understand, it's a "software limitation", but the problem is that to eliminate this limitation, a new touchscreen driver must be written. Honestly, I think that even if all needed specs and sources for it are available (I doubt it), there're not many people around able to write device drivers, and even less are interested in developing this particular driver...
A bit of info about A101g8 is here: http://forum.xda-developers.com/showpost.php?p=21095289&postcount=60
In GPL'ed 2.6.29-omap1 gen8 kernel touchscreen driver is called "hanvon" (probably, after Hanvon-10, a Chinese tablet), and also a generic dualtouch driver for Pixcir is included in the latest mainline kernels.
oh if it software realtes we schold be able to fine some info in the datasheets of the controller - lets have a look
Thanks to schollbert we know:
Touchscreen subsystem
• Pixcir capacitiv touchscreen unit (TR16C0 controller, USB interface)
• Ti USB hub
EDIT:
hmm the "datasheet" schollbert had is a brouchure - in chineese...
but its telling 2-10 fingers... if i got it right
As far as I could understand, the touchscreen driver (hanvon.c) in GPL'ed 2.6.29-omap1 has some implementation of the "multitouch protocol A" (i.e. the old one, superseded by "protocol B" in recent mainline kernels). At least, it issues necessary ABS events.
The device itself maps to /dev/input/event3 and /dev/input/event4, but event4 seems not working.
The problem is that tslib driver (at least, its older versions) refuses to work with hanvon, because hanvon doesn't issue all necessary events out of the box (namely, it lacks ABS_PRESSURE). On some forum I found someone with similar problem and, strangely, but only a little dirty fix was needed to make hanvon and tslib friends:
Code:
--- hid-hanvon.c.old 2012-01-04 21:17:34.000000000 +0400
+++ hid-hanvon.c 2012-03-10 19:30:59.822992148 +0400
@@ -110,6 +110,7 @@
#ifdef CONFIG_HID_HANVON_10_MONO_TSP_EMULATION
input_event(td->dev, EV_KEY, BTN_TOUCH, 0);
+ input_event(td->dev, EV_ABS, ABS_PRESSURE, 0); // little dirty fix for tslib
input_sync(td->dev);
#endif
@@ -171,6 +172,7 @@
/* touchscreen emulation */
hid_map_usage(hi, usage, bit, max,
EV_KEY, BTN_TOUCH);
+ input_set_abs_params(hi->input, ABS_PRESSURE, 0, 1, 0, 0); // little dirty fix for tslib
return 1;
case HID_DG_TIPSWITCH:
@@ -238,6 +240,7 @@
#ifdef CONFIG_HID_HANVON_10_MONO_TSP_EMULATION
// issue button press
input_event(input, EV_KEY, BTN_TOUCH, 1);
+ input_event(input, EV_ABS, ABS_PRESSURE, 1); // little dirty fix for tslib
#endif
// next time, we'll only rearm timer and
// issue position update if ts emulation.
@@ -297,6 +300,7 @@
#ifdef CONFIG_HID_HANVON_10_MONO_TSP_EMULATION
// issue button release
input_event(input, EV_KEY, BTN_TOUCH, 0);
+ input_event(input, EV_ABS, ABS_PRESSURE, 0); // little dirty fix for tslib
input_sync(input);
#endif
// start debouncer.
This patch reports support of ABS_PRESSURE, and also issues this event together with BTN_TOUCH in TSP emulation mode (not sure if it's needed, though).
I'm not sure how real "multitouch" and "dualtouch" must look like, but now when I start ts_test and press two fingers in Draw mode -- it successfully draws a line between them...
In theory, it seems possible to port multitouch support from recent mainline kernels to 2.6.29-omap1, but practically it requires very good coding skills and some time.

Huawei Open-Source Release - Broadcom DHD Open-Source Driver for S7 Froyo Working

Found this on Huawei's webpage: http://www.huaweidevice.com/worldwi...=toDownloadFile&flay=software&softid=NDcwODE=
open source_wlan.tar_S7_Android2.2
Would be nice if someone has the time to look at this.
The binary file that shipped with my Huawei firmware has version 4.218.248.17
Edit:
Tested and working. Forgot to update text here.
Mirrored the file for convenience for everyone who wants this. The first link actually was wrong, so I changed it.
Put this in an Android tree (such as /hardware/broadcom), do breakfast/lunch after envsetup, and perform 'make dhdko' with the kernel files present at /kernel. This is for Froyo. To build for Gingerbread, LOCAL_MODULE_TAGS cannot be equal to 'user', so you need to change Android.mk to say 'optional' instead. That's if you want to use Android.mk to build. If you are not building the whole tree, remember to make a folder /lib/modules/, or dhd.ko will not copy from the product obj folder properly.
Not sure how this will build for ICS/Jellybean, but at least now we have the source code that actually builds a proper module.
Kernel objects need to be in the right place. I did something to the effect of:
make -C kernel O=/sources/aosp/out/target/product/s7/obj/KERNEL_OBJ ARCH=arm CROSS_COMPILE=arm-eabi-
Built module works fine and is the same version shipped with Android 2.2 (4.218.248.17).
The driver is actually eerily similar to the bcm4329 kernel 3.4 bcm4329 driver. So much so i figured out what caused the sdio timeout.
Offending code causing emulate domain manager error om 2.6.35 when removed, sdio timeout when added:
dhd_linux.c:
Code:
static int
dhd_watchdog_thread(void *data)
{
dhd_info_t *dhd = (dhd_info_t *)data;
/* This thread doesn't need any user-level access,
* so get rid of all our resources
*/
#ifdef DHD_SCHED
if (dhd_watchdog_prio > 0) {
struct sched_param param;
param.sched_priority = (dhd_watchdog_prio < MAX_RT_PRIO)?
dhd_watchdog_prio:(MAX_RT_PRIO-1);
setScheduler(current, SCHED_FIFO, &param);
}
#endif /* DHD_SCHED */
DAEMONIZE("dhd_watchdog");
/* Run until signal received */
while (1) {
if (down_interruptible (&dhd->watchdog_sem) == 0) {
offender---------> dhd_os_sdlock(&dhd->pub);
if (dhd->pub.dongle_reset == FALSE) {
For kernels : http://threader.zapto.org/experimental/s7/wifi/bcm4329-30-09-13.tar.bz2

[Root][4.4.2 ND7]GhettoRoot (Towelroot port) v0.3.2

GhettoRoot (Towelroot port) v0.3.0.1, v0.3.2 Testing (looking for new owner)
Code:
*** Disclaimer
This project is licensed under the GPLv3. Bundled third-party components
have different licenses, but these components are bundled or downloaded
as separate executables; all appropriate LICENSE files are included, along
with links to source code.
THIS UTILITY MAKES USE OF A KERNEL EXPLOIT TO GAIN ROOT PRIVILEGES
AND MAKE MODIFICATIONS TO YOUR DEVICE'S FILESYSTEM. IT WILL
PROBABLY WILL VOID YOUR WARRANTY. IF YOU DO NOT FOLLOW THE
INSTRUCTIONS, YOU COULD END UP WITH A BRICK. EVEN IF YOU DO
FOLLOW THE INSTRUCTIONS, YOU MIGHT END UP WITH A BRICK.
ROOTING IS A POTENTIALLY DANGEROUS PROCESS AND, WHILE I WILL TRY
TO HELP IF YOU HAVE TROUBLE, I CANNOT ACCEPT RESPONSIBILITY
FOR RANDOM MISFORTUNE, COSMIC RAYS, ETC.
Help Wanted
My activity with this project will be diminishing. As far as I know, everything as of now "just works" with the SCH-I605, and that's all I really wanted to accomplish from the start. I'm hoping someone will take it over -- ideally someone who'd be willing to look into fixing the code to support other devices. It's open-source, so you can start looking at it now and see if you're interested. Compiling is simple... Just install the NDK and use ndk-build, or 'make' in Linux.
If you'd like to take over the development, and you've worked on projects like this before, I'd greatly appreciate it; perhaps we can get a mod to transfer this thread to you, or you're free to start a new one. After a certain point, I'll stop monitoring threads and messages, so you're free to go ahead and take charge without waiting to hear from me, if you'd like.
Post elsewhere, if you'd like, to let people know that this code is available and might be adjustable for other devices. It really shouldn't be difficult for someone with a background with this stuff.
Problematic areas are likely the iov code (search "Not sure if this is entirely correct") and also the limit_offset stuff (search "ph->limit_offset != 0"), but I have no way of knowing for sure if there's anything wrong with limit_offset since I don't have an applicable Samsung device. There are scattered references to the sources I used to figure out some of this in the README and in ghettoroot.c itself.
That's all, folks. Thanks.
Introduction
This is an automatic root method for your Note 2 (or, potentially, other device) based on code for the CVE-2014-3153 exploit.Unlike towelroot, it is a tethered root in that it requires you to connect your device to a computer to perform the root. However, it only requires a computer the one time; root sticks.
This code appears to have been reverse-engineered from towelroot itself (but not the latest version), so Geohot gets the credit for this one. This is more like a bugfix which only works (for sure) with the Verizon Galaxy Note II so far. The changes from the towelroot-equivalent exploit code are incredibly minimal. Only a few lines of code need really be changed to get it working, but devices incompatible with towelroot are becoming ghetto, so there wasn't a lot of motivation for the problems to be investigated.
GhettoRoot attempts to walk you through the prerequisites for the rooting process and give you hints if there are problems; it does the dirty work itself.
Click to expand...
Click to collapse
Installation instructions
Please see the LICENSE file for details on copying and usage (GPLv3).
This software will attempt to root your device and might void its warranty.
Please BACK UP ANYTHING IMPORTANT before continuing.
Note: By default, v0.3.0.1 attempts to disable Knox and OTA update packages.
If you'd rather this not happen, scroll to CONFIGURATION.
Install USB drivers for your device if needed, for Windows.
Koush's drivers are a good bet. 'Download Windows Installer', and run:
https://github.com/koush/UniversalAdbDriver
Download the busybox-arm4vl binary. The installer will help you with this.
You can get it manually from http://www.busybox.net, specifically from
http://www.busybox.net/downloads/binaries/latest
Place the binary in the files/ folder. It will be automatically renamed
to 'busybox'.
Enable USB debugging. If necessary, go to 'About device' under Settings and tap
the Build number several times to enable the Developer options. Go back, and
go to Developer options, and enable USB debugging there.
Plug in your device to your computer.
Unlock your device's lockscreen if it is locked.
Manually choose a USB mode from the notification, or wait for the Installer mode
phase of USB to end, which takes about 30 seconds. If your device does not have
an Installer mode, skip this. If you're not sure, just wait the 30 seconds.
If/when a popup appears asking for authorization for your PC, allow it.
If a popup does not appear and has never appeared before, or you clicked Cancel,
or you're just having a lot of trouble, go to Developer option and toggle USB
debugging off and on again. Then, try again. You may need to disconnect and re-
connect your device or tap Revoke USB authorization if nothing seems to help.
On Linux or OS X, enter a terminal at the folder you extracted the zip file to,
and type chmod +x INSTALL.sh.
To run, execute INSTALL.cmd on Windows.
On Linux or OS X, type the following in the same terminal: ./INSTALL.sh
Follow the on-screen instructions.
Click to expand...
Click to collapse
Configuration
v0.3.2 config.txt details:
Code:
Open up config.txt, and customize as follows, adding or removing arguments
as you see fit. It should always start with ./root.sh
*** ENSURE THE CONTENTS OF config.txt IS A *SINGLE LINE*.
*** COMMENTS WITHIN config.txt ARE NOT PERMITTED.
Default: ./root.sh --root --deknox --deota --desurveillance
Former default: ./root.sh --root --disable-knox --disable-ota
Usage: ./root.sh [OPTION] [COMMAND]
With no arguments, --root is implied.
Main options
--root, --supersu Install SuperSU (permaroot)
--deknox Remove Knox (recommended)
--deota Remove OTA packages (recommended)
--debloat Remove Bloat (recommended)
--desurveillance Remove some surveillance (recommended)
--disable-ota Disable OTA update-related packages
--disable-knox Disable Knox packages
--really-remove Actually remove things instead of
putting them in $jaildir
--undo Try to undo the specified option.
If you had used --really-remove then
it won't work for deknox, debloat, deota.
Anti-convenience options
--no-mount-rw Don't mount / and /system read-write
--no-sepermissive Don't set SEAndroid to permissive
--no-chmod-scripts Don't chmod 0755 all scripts in
$TMPDIR
COMMAND: Command to be run after other options.
Arguments may follow.
If unspecified, will look for and run custom.sh.
ex. ./root.sh --root
./root.sh --root --undo
./root.sh --root --deknox --deota --debloat
./root.sh cp /sdcard/build.prop /system/build.prop
[/HIDE]
Thanks To/Credits
Code:
geohot for developing [URL="http://forum.xda-developers.com/showthread.php?t=2783157"][U]towelroot[/U][/URL], on which
this code is DIRECTLY based! Reverse-engineered/decompiled, but not by me.
I don't think anyone had a licensing claim on towelroot or this code so I made it GPLv3.
fi01 for his shared [URL="https://gist.github.com/fi01/a838dea63323c7c003cd"][U]exploit code[/U][/URL] on github:
tinyhack.com for the [URL="http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/"][U]helpful post on the Futex bug[/U][/URL]:
chainfire, for [URL="http://forum.xda-developers.com/showthread.php?t=1538053"][U]SuperSU[/U][/URL]!
THANK YOU for the lenient distribution policy.
NetworkingPro at xda-developers for the assistance to all. :)
Other folks at xda-developers for testing and offering support.
Google, of course, and the Android Open Source Project.
Changelog & Download
A note on v0.3.2 Testing:
Code:
WARNING: ESPECIALLY with this version, PLEASE make sure you have backups of
your important applications and their data!
Alternatively, you might be safer changing config.txt to the
old value as listed below.
Code:
This version is called 'Testing' because I haven't really had time to test it
fully, and there's a bunch of new stuff, namely the de* (*-removal) scripts.
I DON'T KNOW HOW WELL THE DE* CODE WORKS. You may want to give me some time
to see how my device holds up before testing yourself, or check out
files/root.sh to see what the new stuff does, but I do need other people to
test as well, so I've changed the config.txt to include the new features,
sans --debloat.
If you DO NOT want to try the new features, change config.txt to the following:
./root.sh --root --disable-knox --disable-ota
However, even the --disable-knox and --disable-ota code has changed.
Your mileage may vary!
Search files/root.sh for ### DEBLOAT, ### DEKNOX, ### DEOTA, ## DESURVEILLANCE,
etc. to see exactly what they do.
Code:
Current changelog: [U][B][URL="http://forum.xda-developers.com/devdb/project/dl/?id=8457"]v0.3.2 [I]Testing[/I][/URL][/B][/U] (2014/09/08)
[fixed?] drowsy attempt to fix a silly bug with default modstring
[new] new default config.txt: --deknox, --deota, --desurveillance
[new] --deknox, --deota, --debloat, --desurveillance, --really-remove,
--undo features added. See README.txt or search files/root.sh
for ### DEBLOAT, ### DEKNOX, ### DEOTA, ## DESURVEILLANCE,
etc. to see exactly what they do.
[change] starting to change verbage from 'phone' to 'device'
[note] v0.3.1 would have been too confusing, so straight to v0.3.2.
[U][B][URL="http://forum.xda-developers.com/devdb/project/dl/?id=8439"]Download v0.3.0.1[/URL][/B][/U] (2014/09/07)
[fixed] Issue with find.exe when other find executables are in PATH.
[URL="http://forum.xda-developers.com/devdb/project/dl/?id=8438"]v0.3.0 (2014/09/07)[/URL]
[new] License: this project is licensed under GPLv3.
[new] Added ADB binaries for Linux and Mac OS X.
[note] This means we have experimental & untested support for Intel Macs
[changed] Restructuring of post-root procedures:
No more hard-coded commands for installing SuperSU, etc.
These things are present in files/root.sh instead, and
may be freely edited.
[changed] Command-line parameters have DRASTICALLY changed.
See the README.txt.
[new] Added modstrings.txt, config.txt
[changed] Busybox no longer bundled due to licensing concerns;
curl added for downloading busybox, instead.
Older changelogs:
Code:
v0.2.2 (2014/09/04)
Fixed INSTALL.cmd hanging when launching ADB, or not running
properly as an administrator.
Further improved error handling, with more detailed steps for
troubleshooting, and retries.
User acknowledgment now required for certain tasks with (Y/N).
Fixed date on previous update being in the future... Hmm...
v0.2.1 (2014/09/03)
** pulled, did not fix adb hang issue after all **
v0.2 (2014/09/03)
Code cleaned up a bit, but still gives verbose debug messages
since they might be important. Can disable those with --brief.
Some error handling in the install script.
Everything is orchestrated from a single batch file ("one-click",
though multiple scripts are still used internally).
Should work properly with Windows and Linux, and come
bundled with ADB for Windows. Thanks, NetworkingPro!
v0.1 (2014/08/31)
Initial release.
LINK TO FORMER THREAD HERE
Apologies in advance for any kind of faux pas I've made or rule I've broken. There always seems to be something...
Code:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* GhettoRoot is free software: you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation, either version 3 of the License, or *
* (at your option) any later version. *
* *
* GhettoRoot is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with GhettoRoot. If not, see <http://www.gnu.org/licenses/>. *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
hmmm
If I hadn't just killed my phone (perma red angry text of death) I would definitely help test. Of course you have me to thank as well. Why? Because I knew as soon as I broke my phone, or upgraded someone would come out with a root fix. So you're welcome. However there is still a good chance that the new "probably very used" replacement phone I get from Verizon will be 4.4.2 already so then I will try this out. Unless this is some sort of very cruel trick played on those of us that can't afford to upgrade our phones every other month, in which case shame on you, and I will still try it until I am blue in the face. And crying.
J_3dgar_H00v3r said:
If I hadn't just killed my phone (perma red angry text of death) I would definitely help test. Of course you have me to thank as well. Why? Because I knew as soon as I broke my phone, or upgraded someone would come out with a root fix. So you're welcome. However there is still a good chance that the new "probably very used" replacement phone I get from Verizon will be 4.4.2 already so then I will try this out. Unless this is some sort of very cruel trick played on those of us that can't afford to upgrade our phones every other month, in which case shame on you, and I will still try it until I am blue in the face. And crying.
Click to expand...
Click to collapse
Nope, not a trick! My username looks a bit dubious even to me, but it was randomly generated by KeePass.
I am getting, "error: device unauthorized. Please check the confirmation dialog on your device." I am not getting anything on my phone. Any thoughts?
Im testing this now. Will let you know in a few mins. So far, so good.
Edit: This worked like a champ for me. Root achieved. For anyone wanting to do this, please follow these steps:
Run clean.cmd
Run prepare.cmd
Run root.cmd
Do these in this order. I went ahead and added a pause to each batch (Except root.bat that already had one) to ensure everything was kicking off as expected. Sorry if this was outlined in the OP, but Im sort of a "D personality" and wont read a lot of fluff.
Thanks!
Seems to be running good here to ... some more fiddling and see how things go but I now have root on 4.4.2. Thanks
Update: no problems also Knox has NOT been tripped and no other issues.
Worked for me!
I tried this, and it worked like a charm. So far, no issues.
Thank you!!!
=D
i dont think i've been this excited since safestrap was in the works for the N2!!! cant wait to try this when i get home!!! thanks dev
I still don't have root. Not sure what went wrong. My phone restarted like it was supposed to but not root.
NetworkingPro said:
Im testing this now. Will let you know in a few mins. So far, so good.
Edit: This worked like a champ for me. Root achieved. For anyone wanting to do this, please follow these steps:
Run clean.cmd
Run prepare.cmd
Run root.cmd
Do these in this order. I went ahead and added a pause to each batch (Except root.bat that already had one) to ensure everything was kicking off as expected. Sorry if this was outlined in the OP, but Im sort of a "D personality" and wont read a lot of fluff.
Thanks!
Click to expand...
Click to collapse
Does clean.cmd wipe all data? I only ran root.cmd and the phone rebooted like it was supposed to, but Titanium Backup doesn't register my device as rooted.
Tkun said:
Does clean.cmd wipe all data? I only ran root.cmd and the phone rebooted like it was supposed to, but Titanium Backup doesn't register my device as rooted.
Click to expand...
Click to collapse
It just cleans up old root files that might have been part of previous root methods, or failed attempts.
NetworkingPro said:
It just cleans up old root files that might have been part of previous root methods, or failed attempts.
Click to expand...
Click to collapse
Thanks! Using your steps it worked and my phone is rooted!
Also, thanks OP for providing this solution! I was worried us 4.4.2 users would never again have root. I can finally backup and restore my apps again using Titanium Backup.
Tkun said:
Thanks! Using your steps it worked and my phone is rooted!
Also, thanks OP for providing this solution! I was worried us 4.4.2 users would never again have root. I can finally backup and restore my apps again using Titanium Backup.
Click to expand...
Click to collapse
Glad I could help, I went ahead and read through the source code before I did it, so had a pretty good idea of what it was doing.
---------- Post added at 10:38 PM ---------- Previous post was at 10:36 PM ----------
25yvdgpo06 said:
tl;dr: This is a modified version of [basically towelroot] to work with the Verizon Galaxy Note II (SCH-I605) VRUFND7 firmware.
Currently, a PC with the Prerequisites is required. If someone wants to package this into an APK, that's great and it may remove the PC requirement.
I'm too new to be allowed to post in the developer forums (which is probably for the best), and I don't consider myself much of a developer anyway, but with a couple sleepless nights, a little bit of determination, and a lot of sugar cereal (but not enough milk!!!!), I've modded some code based on Towelroot to get the CVE-2014-3153 exploit to work with our phone and its 3.0.31 kernel. Who knows - it might work with other phones, too, but this is the only one I have right now.
WARNINGS
YOUR MILEAGE MAY VARY. THIS WILL PROBABLY VOID YOUR WARRANTY. PLEASE BACK UP IMPORTANT FILES FIRST, JUST IN CASE AND AS A GOOD PRACTICE.
Your phone will reboot after rooting which could cause data loss if any apps are in the middle of writing data, so please close open apps and wait a few moments before rooting! If your phone is just starting up, give it some time to initialize before rooting. These recommendations should be followed prior to almost any automated reboot of your phone, but particularly when rooting.
This does not flash anything, so as far as I'm aware, it will not trip KNOX but I really don't know! It DOES try to disable KNOX, which might trip it. I don't know how any of that works.
There *shouldn't* be any problems with this, but if there are, keep in mind that you made the choice to try it, knowing it's relatively untested. As of first posting of the binary, I am the only person who has tested this.
PREREQUISITES
You will need access to a computer with the following things:
Android SDK
ADB in your PATH (in platform-tools at your Android SDK install path)
Your phone's USB drivers
USB debugging enabled
INSTRUCTIONS
Connect your phone to your computer.
Close any active applications on your phone so you don't lose data when your phone reboots. If your phone just started, give it time to initialize.
Once active apps are closed, wait 10-20 seconds or so for the phone to be done doing stuff.
With that out of the way, extract the zip file if you haven't already.
The procedure will execute immediately when running the scripts, so this is your last chance to back out! Do not proceed if you don't feel ready!
Run root.cmd on Windows, or root.sh on Linux and maybe OS X.
Allow your phone to reboot after the process, and enjoy root. Let me know if you got errors or it didn't work.
This has not happened to me (or anyone else to my knowledge, since I just released this), but if it goes into a loop trying to root and keeps failing, go ahead and CTRL-C to end it, and then close the command window. If worst comes to worst, shut off your phone or pull the battery.
QUESTIONS
Q. What's the difference between this and Towelroot, then?
A. There are a few modifications to the reverse-engineered source code of Towelroot, or at least I assume that's what the code is, since Towelroot isn't open source, as far as I know. There is a github link to that source at the top of ghettoroot.c, included in the zip file. You can do a diff comparing ghettoroot.c to the github code to see exactly what I changed.
Q. And this will get me rooted, even if I have a locked bootloader?
A. Yeah. It won't unlock your bootloader, though. If you find me some info on how the previous bootloader unlocks were found and/or what they involved, I might try to look into it...
Q. You mentioned command-line options. I tried out -? or --help and saw them but it's nearly impossible to read.
A. The help is a mess, but this usage message -- to be included in a future version -- should be more...useful.
The root.sh and root.cmd scripts should pass your arguments along to the ghettoroot binary, so where you see ghettoroot in the usage message, replace with ./root.sh (be sure to chmod +x it) or root.cmd.
Code:
Usage: ghettoroot METHOD ALIGN LIMIT_OFFSET HIT_IOV EXCLUDE_FEATURE
USERCMD USERARGV
All parameters are optional. The first non-number and following arguments
will be interpreted as the user command and user arguments.
ex. ghettoroot <-- runs with defaults, attempting to detect some settings
ghettoroot 0 1 0 4 0 <-- standard, default root for most phones.
ghettoroot mkdir /system/happyface <-- does everything, then that...
ghettoroot 0 1 0 4 7 cp /sdcard/build.prop /system/build.prop
^ copies a modified build.prop but does not permaroot, etc.
Formatting key: [Default value]PARAMETER NAME: value range: description
[0]METHOD: 0-sendmmsg, 1-recvmmsg, 2-sendmsg, 3-recvmsg:
This typically does not need to be changed.
[1]ALIGN: 0/1: attack all 8 IOVs hit with MAGIC
This behavior may/may not match up with original ALIGN behavior.
Currently, enabling this causes HIT_IOV to go unused.
[0]LIMIT_OFFSET: 0-8192: offset of addr_limit in thread_info, multiple of 4
If desperate, download manufacturer's kernel sources to check headers.
Rarely necessary, but 7380 is needed for newer Samsung phone models.
[4]HIT_IOV: 0-7: offset to rt_waiter in vulnerable futex_wait_requeue_pi.
see vulnerable futex_wait_requeue_pi function for your kernel if needed.
[0]EXCLUDE_FEATURE: 0-31: all features are enabled by default.
to disable, add up the numbers for any/all of the following features:
1 Install SuperSU
2 Disable Knox
4 Disable OTA Updates
8 SEAndroid Permissive (temporary)
16 Mount /, /system read-write (temporary)
Example values for EXCLUDE_FEATURE:
31 temp roots solely to run a user command, immediately after root.
Reboot is still required.
6 does *not* disable Knox or OTA, but installs SuperSU.
7 does *not* disable Knox or OTA updates, or install SuperSU.
Still remounts /, /system as rewrite and turns off SEAndroid.
Meant to be used with a user command, or else it is pointless.
USERCMD: Command to be run after all other enabled featuers, if any.
USERARGV: All further arguments are passed along to the user command.
I don't know how well any of those arguments are working. You shouldn't need any of them for this phone.
Q. I think ToiletRoot would have been a better name.
A. Hmm... Me too. Oh well.
CREDITS
GeoHot, developer of Towelroot, on which this is based, and without whom it would be impossible.
Chainfire, developer of SuperSU, which is bundled.
Somebody, developer/compiler of busybox, which is bundled. To be honest I don't know where it came from. It was lying around on my PC. I know, I know... just let me know if I really need to make my life revolve around fixing political issues like this and I will try.
fi01, person on Github sharing code publicly
Apologies in advance for some kind of faux pas I've made or rule I've broken. There always seems to be something(s).
Click to expand...
Click to collapse
Where did you pick this up at? I want to go ahead and rewrite it to be more efficient later tonight, but I kind of need to know where it came from?
---------- Post added at 10:39 PM ---------- Previous post was at 10:38 PM ----------
Oh well, screw it... I'll go ahead and clean it up later.
NetworkingPro said:
Glad I could help, I went ahead and read through the source code before I did it, so had a pretty good idea of what it was doing.
---------- Post added at 10:38 PM ---------- Previous post was at 10:36 PM ----------
Where did you pick this up at? I want to go ahead and rewrite it to be more efficient later tonight, but I kind of need to know where it came from?
---------- Post added at 10:39 PM ---------- Previous post was at 10:38 PM ----------
Oh well, screw it... I'll go ahead and clean it up later.
Click to expand...
Click to collapse
It is the first link at the top of ghettoroot.c, fi01's cube-towel.c page. (Every page linked in ghettoroot.c was helpful.)
I am planning to clean it up a bit myself this evening, but if someone wants to repackage the entire thing and re-post to a new thread, go for it! Or you can wait until I clean things up a little bit and then do it... Or just not. Whatever you want to do. I'm not very concerned about who gets credit for what, though a mention of my randomly-generated name might be nice.
Thanks to those who've helped others so far, and those who've shared success/failure.
EDIT: Wanted to point out that there were very few changes from fi01's original cube-towel.c code that were necessary to get the exploit itself to work. The rest is fluffy stuff, in addition to execution of useful commands once root was gained rather than being a proof-of-concept alone.
Here is *exactly* what was changed in the exploit code. Very minimal, you will see.
Setting of processor affinity added as recommended at tinyhack.com's "Exploiting the Futex Bug and uncovering Towelroot" post, and called in main():
Code:
void setaffinity()
{
pid_t pid = syscall(__NR_getpid);
int mask=1;
int syscallres = syscall(__NR_sched_setaffinity, pid, sizeof(mask), &mask);
if (syscallres)
{
printf("Error in the syscall setaffinity: mask=%d=0x%x err=%d=0x%x", mask, mask, errno, errno);
sleep(2);
printf("This could be bad, but what the heck... We'll try continuing anyway.");
sleep(2);
}
}
Change to IOV code, also using tinyhack.com recommendations:
From:
Code:
if (ph->l2 == 0) {
for (i = 0; i < 8; i++) {
msg_iov[i].iov_base = (void *)MAGIC;
msg_iov[i].iov_len = MAGIC_ALT;
}
}
else {
for (i = 0; i < 8; i++) {
msg_iov[i].iov_base = (void *)MAGIC;
msg_iov[i].iov_len = 0x10;
}
}
To:
Code:
// tbh i'm not really sure how this is supposed to look or work
// but it is working with note 2 as is with modstring 0 1 0 4
// and that is all i care about right now.
// see http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/
for (i = 0; i < 8; i++) {
iov[i].iov_base = (void *)MAGIC;
if (ph->align == 0) {
if (i==ph->hit_iov) {
iov[i].iov_len = MAGIC_ALT;
}
else {
iov[i].iov_len = 0x10;
}
}
else {
iov[i].iov_len = MAGIC_ALT;
}
}
When searching through task structures for a credential to overwrite (to get us root), verify that the credential is in kernel address space, the same way the other pointers are verified. Otherwise, we're not in the right place in memory yet...
From:
Code:
if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
&& task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
&& task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
&& task->real_cred == task->cred) {
To:
Code:
if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
&& task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
&& task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
&& task->real_cred == task->cred && (unsigned long)task->cred > KERNEL_START) {
That's all that needed to be changed, keeping in mind none of us have seen the actual towelroot source code so some of these things may not even be necessary or may already be present there, leaving it up in the air why towelroot doesn't work for us. I would guess the IOVs were the issue, somehow, but at least with this code, the credential needed to be checked to be in kernel space as well. Did not test without setaffinity.
Droc1983 said:
I still don't have root. Not sure what went wrong. My phone restarted like it was supposed to but not root.
Click to expand...
Click to collapse
I had to Uninstall towel root apk. Now I have root access. Thank you.
My apologies...
alkitchen said:
I am getting, "error: device unauthorized. Please check the confirmation dialog on your device." I am not getting anything on my phone. Any thoughts?
Click to expand...
Click to collapse
My apologies, disregard my post... I ran it again this evening and it WORKED!! Thanks so much.
Now to try Safestrap...
25yvdgpo06 said:
It is the first link at the top of ghettoroot.c, fi01's cube-towel.c page. (Every page linked in ghettoroot.c was helpful.)
I am planning to clean it up a bit myself this evening, but if someone wants to repackage the entire thing and re-post to a new thread, go for it! Or you can wait until I clean things up a little bit and then do it... Or just not. Whatever you want to do. I'm not very concerned about who gets credit for what, though a mention of my randomly-generated name might be nice.
Thanks to those who've helped others so far, and those who've shared success/failure.
EDIT: Wanted to point out that there were very few changes from fi01's original cube-towel.c code that were necessary to get the exploit itself to work. The rest is fluffy stuff, in addition to execution of useful commands once root was gained rather than being a proof-of-concept alone.
Here is *exactly* what was changed in the exploit code. Very minimal, you will see.
Setting of processor affinity added as recommended at tinyhack.com's "Exploiting the Futex Bug and uncovering Towelroot" post, and called in main():
Code:
void setaffinity()
{
pid_t pid = syscall(__NR_getpid);
int mask=1;
int syscallres = syscall(__NR_sched_setaffinity, pid, sizeof(mask), &mask);
if (syscallres)
{
printf("Error in the syscall setaffinity: mask=%d=0x%x err=%d=0x%x", mask, mask, errno, errno);
sleep(2);
printf("This could be bad, but what the heck... We'll try continuing anyway.");
sleep(2);
}
}
Change to IOV code, also using tinyhack.com recommendations:
From:
Code:
if (ph->l2 == 0) {
for (i = 0; i < 8; i++) {
msg_iov[i].iov_base = (void *)MAGIC;
msg_iov[i].iov_len = MAGIC_ALT;
}
}
else {
for (i = 0; i < 8; i++) {
msg_iov[i].iov_base = (void *)MAGIC;
msg_iov[i].iov_len = 0x10;
}
}
To:
Code:
// tbh i'm not really sure how this is supposed to look or work
// but it is working with note 2 as is with modstring 0 1 0 4
// and that is all i care about right now.
// see http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/
for (i = 0; i < 8; i++) {
iov[i].iov_base = (void *)MAGIC;
if (ph->align == 0) {
if (i==ph->hit_iov) {
iov[i].iov_len = MAGIC_ALT;
}
else {
iov[i].iov_len = 0x10;
}
}
else {
iov[i].iov_len = MAGIC_ALT;
}
}
When searching through task structures for a credential to overwrite (to get us root), verify that the credential is in kernel address space, the same way the other pointers are verified. Otherwise, we're not in the right place in memory yet...
From:
Code:
if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
&& task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
&& task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
&& task->real_cred == task->cred) {
To:
Code:
if (task->cpu_timers[0].next == task->cpu_timers[0].prev && (unsigned long)task->cpu_timers[0].next > KERNEL_START
&& task->cpu_timers[1].next == task->cpu_timers[1].prev && (unsigned long)task->cpu_timers[1].next > KERNEL_START
&& task->cpu_timers[2].next == task->cpu_timers[2].prev && (unsigned long)task->cpu_timers[2].next > KERNEL_START
&& task->real_cred == task->cred && (unsigned long)task->cred > KERNEL_START) {
That's all that needed to be changed, keeping in mind none of us have seen the actual towelroot source code so some of these things may not even be necessary or may already be present there, leaving it up in the air why towelroot doesn't work for us. I would guess the IOVs were the issue, somehow, but at least with this code, the credential needed to be checked to be in kernel space as well. Did not test without setaffinity.
Click to expand...
Click to collapse
I'll wait til you clean it up and then repackage. I don't care about credit either. I'll pm you my gtalk shortly.
I would like to try this. I have downloaded the SDK, however I do not have any idea what the ADB step means. Basically, I have no idea what I am doing and would appreciate a little help as far as making sure I have everything that needs downloaded. Thanks.
edit: Got it figured out!
Having trouble with safestrap. I installed apk and ran install recovery and grant root access but it says recovery not installed in the app.
Not working...
I'm seeing:
Unable to chmod /data/local/tmp/busybox: no such file or directory
sh: /data/local/tmp/busybox: not found
Could not find/unzip SuperSU: Success
Please place an UPDATE-SU-*.zip file in the mail folder before running the install script
Click to expand...
Click to collapse
Any help would be appreciated.

How to go about patching the kernel to get EHCI(USB 2.0) devices to behave like xHCI?

Basically, there has been an app ported to Android that allows even unrooted(stock) devices to deliver a bootrom exploit to the Nintendo Switch via USB-OTG and a USB cable (or C-to-C). USB 3.0 (xHCI) devices have no issues and deliver the exploit just fine. Apparently it is not even a USB 2.0 problem but rather how the EHCI performs, as certain USB 2.0 phones actually have the xHCI controller and can run the exploit just fine. What happens is that although it can detect the connected Switch in Tegra Recovery Mode, it just doesn't do anything and gives an error in the logs, "SUMBITURB failed".
On Linux desktop systems it is similar, but the exploit can still work with a kernel patch provided by a hacking group that discovered the exploit in the first place:
Code:
--- linux-4.14.27/drivers/usb/host/ehci-hcd.c.old 2018-04-17 18:00:00.000000000 +0000
+++ linux-4.14.27/drivers/usb/host/ehci-hcd.c 2018-04-17 18:00:00.000000000 +0000
@@ -873,14 +873,6 @@
INIT_LIST_HEAD (&qtd_list);
switch (usb_pipetype (urb->pipe)) {
- case PIPE_CONTROL:
- /* qh_completions() code doesn't handle all the fault cases
- * in multi-TD control transfers. Even 1KB is rare anyway.
- */
- if (urb->transfer_buffer_length > (16 * 1024))
- return -EMSGSIZE;
- /* FALLTHROUGH */
- /* case PIPE_BULK: */
default:
if (!qh_urb_transaction (ehci, urb, &qtd_list, mem_flags))
return -ENOMEM;
The author of the Android port had also written a Python "hotpatch" script for desktop Linux systems:
Code:
#!/usr/bin/env python3
import os
"""
Cursed Code.
This code literally patches your kernel memory, proceed at your own risk.
Tested on Ubuntu 17.10 and Arch, x86_64. Should work on other distros, maybe even other architectures!
Run fusee-launcher.py with the "--override-checks" argument.
If you'd rather patch your drivers properly:
https://github.com/fail0verflow/shofel2/blob/master/linux-ehci-enable-large-ctl-xfers.patch
"""
ksyms = {
line[2]: int(line[0], 16)
for line in
map(lambda l: l.strip().split(),
open("/proc/kallsyms", "r").readlines())}
print(hex(ksyms["ehci_urb_enqueue"]))
patch_c = """
#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/pgtable.h>
static u32 ORIG_MAX = 16*1024;
static u32 NEW_MAX = 0x1000000;
/* borrowed from MUSL because I'm lazy AF */
static char *fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
{
uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3];
uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3];
for (h+=3, k-=3; k; k--, hw = hw<<8 | *++h)
if (hw == nw) return (char *)h-3;
return 0;
}
static pte_t* (*lookup_addr)(unsigned long, unsigned int*) = (void *) PLACE2;
static void set_addr_rw(unsigned long addr) {
unsigned int level;
pte_t *pte = lookup_addr(addr, &level);
set_pte_atomic(pte, pte_mkwrite(*pte));
}
int init_module(void) {
void * ehci_urb_enqueue_start = (void *) PLACEHOLDER;
u32 * patch_addr;
printk(KERN_INFO "Patch module loaded\\n");
patch_addr = (u32 *) fourbyte_memmem(ehci_urb_enqueue_start, 0x400, (void *)&ORIG_MAX);
if (patch_addr == NULL) {
printk(KERN_INFO "Failed to find patch site :(\\n");
return -1;
}
printk(KERN_INFO "patch_addr: 0x%px\\n", patch_addr);
set_addr_rw((unsigned long)patch_addr);
*patch_addr = NEW_MAX;
printk(KERN_INFO "Patching done!\\n");
return -1;
}
""".replace("PLACEHOLDER", hex(ksyms["ehci_urb_enqueue"])).replace("PLACE2", hex(ksyms["lookup_address"]))
makefile = """
obj-m += patch.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
"""
with open("patch.c", "w") as patchfile:
patchfile.write(patch_c)
with open("Makefile", "w") as mf:
mf.write(makefile)
os.system("make")
print("About to insert patch module, 'Operation not permitted' means it probably worked, check dmesg output.")
os.system("insmod patch.ko")
I tried to see if running it in Termux would do anything but I got the following error:
Code:
0x0
Traceback (most recent call last):
File "ehci_patch.py", line 70, in <module>
" " ".replace("PLACEHOLDER", hex(ksyms["ehci_urb_enqueue"])).replace("PLACE2" hex(ksyms["lookup_address"]))
KeyError: 'lookup_address'
I know that script isn't meant for use on Android anyway but maybe it can lead to a solution. The author of it does not know how to go about it at this time either, but believes an entire recompile of the kernel would be necessary. I am hoping that something like a systemless Magisk module would be the easiest solution for users but do not know if that is possible. I am only guessing it might be possible to create a Magisk module because of audio drivers like VIPER4Android. If indeed a custom kernel is needed, does anyone know how to go about it? It could be difficult to implement for everyone because not everyone has a device where the source to the kernel is available, etc. I am willing, however, to test anything on my tablet which is USB 2.0 and gives the error in the app. Any advice for how to go about this will be greatly appreciated.
I feel ya man, i need this stuff too. NXLoader doesn't work on my Galaxy Grand Prime (G530T) and i really need it to Dx

Categories

Resources